
Network monitoring on Checkpoint ext interface

Hello,

My Checkpoint 4400 is my external firewall. I have upstream proxies from the DMZ that go through this firewall to the internet. Some users are complaining that internet is slow on my corporate LAN, but I can see the CPU and resources on the Checkpoint are OK at less than 50%.

What network monitoring software could I use to see what traffic is being used going via the Checkpoint firewall? Bear in mind I don't have access to the proxy servers. I need to get my own network monitoring software for the external firewall.

Re: Network monitoring on Checkpoint ext interface

Originally Posted by oharek

Hello,

My Checkpoint 4400 is my external firewall. I have upstream proxies from the DMZ that go through this firewall to the internet. Some users are complaining that internet is slow on my corporate LAN, but I can see the CPU and resources on the Checkpoint are OK at less than 50%.

What network monitoring software could I use to see what traffic is being used going via the Checkpoint firewall? Bear in mind I don't have access to the proxy servers. I need to get my own network monitoring software for the external firewall.

any ideas?

Keep in mind processor consumption can be measured across all cores, or across a single core. 50% across all cores could be (and often is) 100% of one core. Same for 25% across all cores on a four-core box. When monitoring with 'top', hit the '1' key to show processor consumption per core.

For actual traffic monitoring, I would use one of two tools: fw monitor, or tcpdump.

tcpdump is a bit closer to the wire. It also shows MAC addresses, while fw monitor does not. This is my preferred tool for measuring latency on one side of a firewall. You can run many tcpdump captures at once by either backgrounding them or by running them in separate SSH sessions.

fw monitor, on the other hand, is great for measuring the latency caused by the firewall itself. It shows how long a packet takes to transit the software components inside the firewall with very good precision. It is also good for showing how the firewall changes a packet as it travels. You can see NAT decisions, routing, VPN, and so on. The biggest disadvantages are it doesn't record MAC addresses (you get interface name and network kernel position instead), and you can only run one at a time.
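Added example, not part of the original post: a shell sketch of the per-core point above, computing busy % per core from two /proc/stat snapshots so that a single saturated core stands out from a modest aggregate figure. It assumes a Linux-style /proc/stat and awk on the box; the function names and the sample counters are constructed for illustration.

```shell
#!/usr/bin/env bash
# Per-core CPU busy % between two /proc/stat snapshots (Linux).

# per_core_busy BEFORE AFTER -> "<name> <busy%>" for "cpu" (aggregate) and each "cpuN"
per_core_busy() {
    awk '
        # fields: name user nice system idle iowait irq softirq steal
        /^cpu/ {
            total = 0
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            idle = $5 + $6                      # idle + iowait are not busy time
            if (FNR == NR) { t0[$1] = total; i0[$1] = idle; next }
            dt = total - t0[$1]; di = idle - i0[$1]
            pct = (dt > 0) ? 100 * (dt - di) / dt : 0
            printf "%s %.0f\n", $1, pct
        }' "$1" "$2"
}

# saturated_cores BEFORE AFTER [THRESHOLD] -> cores at or above THRESHOLD % busy (default 90)
saturated_cores() {
    per_core_busy "$1" "$2" | awk -v th="${3:-90}" '$1 != "cpu" && $2 >= th { print $1 }'
}

# live_check [SECONDS]: sample the running system (defined only, not called here)
live_check() (
    d=$(mktemp -d)
    cat /proc/stat > "$d/a"; sleep "${1:-5}"; cat /proc/stat > "$d/b"
    per_core_busy "$d/a" "$d/b"; rm -rf "$d"
)

# Constructed sample: four cores, only cpu0 busy (all softirq) for 1000 ticks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before" <<'EOF'
cpu  4000 0 2000 34000 0 0 0 0
cpu0 1000 0 500 8500 0 0 0 0
cpu1 1000 0 500 8500 0 0 0 0
cpu2 1000 0 500 8500 0 0 0 0
cpu3 1000 0 500 8500 0 0 0 0
EOF
cat > "$SAMPLE_DIR/after" <<'EOF'
cpu  4000 0 2000 37000 0 0 1000 0
cpu0 1000 0 500 8500 0 0 1000 0
cpu1 1000 0 500 9500 0 0 0 0
cpu2 1000 0 500 9500 0 0 0 0
cpu3 1000 0 500 9500 0 0 0 0
EOF

per_core_busy "$SAMPLE_DIR/before" "$SAMPLE_DIR/after"
echo "saturated: $(saturated_cores "$SAMPLE_DIR/before" "$SAMPLE_DIR/after")"
```

On the constructed sample the aggregate line reads 25% while cpu0 reads 100%, which is the four-core case described in the post.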

Re: Network monitoring on Checkpoint ext interface

Originally Posted by Bob_Zimmerman

Keep in mind processor consumption can be measured across all cores, or across a single core. 50% across all cores could be (and often is) 100% of one core. Same for 25% across all cores on a four-core box. When monitoring with 'top', hit the '1' key to show processor consumption per core.

For actual traffic monitoring, I would use one of two tools: fw monitor, or tcpdump.

tcpdump is a bit closer to the wire. It also shows MAC addresses, while fw monitor does not. This is my preferred tool for measuring latency on one side of a firewall. You can run many tcpdump captures at once by either backgrounding them or by running them in separate SSH sessions.

fw monitor, on the other hand, is great for measuring the latency caused by the firewall itself. It shows how long a packet takes to transit the software components inside the firewall with very good precision. It is also good for showing how the firewall changes a packet as it travels. You can see NAT decisions, routing, VPN, and so on. The biggest disadvantages are it doesn't record MAC addresses (you get interface name and network kernel position instead), and you can only run one at a time.

Thanks for the advice. I will try both tcpdump and fw monitor, plus check the cores and CPU stats.

Re: Network monitoring on Checkpoint ext interface

Hi there.... have you checked your Internet access speed with your ISP? Is the Internet access still slow during non-peak hours? What about testing a direct connection through the firewall (not using proxy)?